65 Commits

Author SHA1 Message Date
Rob Crittenden
18d4778cf7 Configure endpoints to use SSL natively or via proxy
Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.

To enable SSL via proxy, in local.conf add

ENABLED_SERVICES+=,tls-proxy

This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certificates are also added to the system CA bundle.

To enable SSL natively, in local.conf add:

USE_SSL=True

Native SSL by default will also use the devstack-generated root and
subordinate CA.

You can override this on a per-service basis by setting

<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca

You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.

Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
2014-09-24 18:36:37 -04:00
Brant Knudson
0595237e8a Function for auth_token middleware config
Each project was configuring the auth_token middleware using several
lines of inisets. Since all the projects should configure the
auth_token middleware in the same way create a function and call it.

Change-Id: I3b6727d5a3bdc0ca600d8faa23bc6db32bb32260
2014-09-21 11:18:01 -05:00
Dean Troyer
05bd7b803d Set default API_WORKERS
Set the API_WORKERS default to control memory usage. Maximum is nproc / 2 and
minimum is 2.

* Also updates https://review.openstack.org/#/c/117517/ to remove the
  conditional test as API_WORKERS should always be set.
* Update https://review.openstack.org/#/c/109058/ for ceilometer to use API_WORKERS

The following reviews can move forward either as-is or with minor tweaks:
* Keystone: https://review.openstack.org/#/c/121384/ - remove the if check
* Swift: https://review.openstack.org/#/c/121456/ - unabandon, the default
  to 1 is fine, or remove it to match the others.
* Trove: https://review.openstack.org/#/c/121438/ - remove the if check

https://etherpad.openstack.org/p/devstack-workers has the details

Change-Id: Id28d72ebf01c88b7df301edf7d1dd7ec23fcd0d6
2014-09-19 09:06:21 -05:00
Jenkins
efa18c73ab Merge "Replace screen_it() with run_process() throughout" 2014-09-13 12:38:34 +00:00
Jenkins
d577fdc794 Merge "Allow setting the number of workers to be used." 2014-09-13 07:18:05 +00:00
Jenkins
2b9acae9f2 Merge "Test against latest glance_store code" 2014-09-12 01:07:23 +00:00
Chris Dent
2f27a0ed3c Replace screen_it() with run_process() throughout
run_process will use screen if USE_SCREEN=True (the default),
otherwise it will simply start the requested service. Therefore
wherever screen_it is used, run_process can be used instead.

Where stop_screen was found it has been replaced with stop_process.

A tail_log function has been added which will tail a logfile in a
screen if USE_SCREEN is True.

lib/template has been updated to reflect the use of the new
functions.

When using sg the quoting in run_process gets very complicated.
To get around this run_process and the functions it calls accepts
an optional third argument. If set it is a group to be used with sg.

Change-Id: Ia3843818014f7c6c7526ef3aa9676bbddb8a85ca
2014-09-11 18:59:39 +01:00
Bob Ball
2f72050ace Allow setting the number of workers to be used.
Environments with large numbers of CPUs will create a large
number of workers which can have an unnecessarily large
impact on memory usage, particularly where you know how many
workers are needed.

Change-Id: Ie4bb075310a61a0873c9e56e4974600dbb4794a1
2014-09-09 15:54:36 +01:00
Flavio Percoco
4f78f8f391 Test against latest glance_store code
Install glance_store from git so we can test Glance against master. This
is useful for both, glance and glance_store gates, to make sure nothing
is broken there.

Change-Id: I6c01165c4384c41f46f2c32d64475703b3178dab
2014-09-09 09:37:42 +02:00
Pawel Koniszewski
76e3925dc4 Initialize metadata definitions catalog
This patch copies all files from /etc/metadefs to
/etc/glance/metadefs and calls glance-manage db_load_metadefs
after successful database migration. This covers whole
process of initializing the metadata catalog.

Change-Id: I2ffd19bf543708b42229ef78dd17ee317f58e6ad
Implements: blueprint glance-metadata-definitions-support
Co-Authored-By: Travis Tripp <travis.tripp@hp.com>
2014-09-08 13:38:04 -06:00
Jenkins
81c5ec1050 Merge "Set configs for glance_store" 2014-09-06 01:25:55 +00:00
Flavio Percoco
fe65e2dffa Set configs for glance_store
glance_store uses a new section to keep its configs. This patch
duplicates the existing, store related, config options and sets them
under the glance_store section.

Once glance is fully migrated, the old options will be removed.

Change-Id: Ie3de87cf07a321415d111e644ccbb360c7491151
2014-09-03 16:37:38 +02:00
Jenkins
dc85b3a772 Merge "Clean up local variable usage - Account setup" 2014-08-23 08:25:35 +00:00
Dean Troyer
16ef976007 Clean up local variable usage - Account setup
This does the local var cleanup for the account creation in the following projects:
* Ceilometer
* Glance
* Sahara
* Trove

Change-Id: I67631578f79eeaaf2814db84f0f5c19d93aee4f3
2014-08-19 19:31:38 -05:00
Boris Pavlovic
0d02924639 Setup AMQP properly for glance-registry
As we integrated OSprofiler with Glance:
https://review.openstack.org/#/c/105635/

glance-registry service started using notification API so it requires
properly set up AMQP.

Change-Id: I0c4bb8a10960ed3ee06b67a209703d7ee81cf1ca
2014-08-13 19:21:56 +04:00
Gael Chamoulaud
6dd8a8bee4 Users in service group should not have email addresses
Change-Id: Ieed9dffce5cf1e735e482dd3494ac1e103b50955
Closes-Bug: 1185201
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2014-07-22 17:29:04 +02:00
Bartosz Górski
0abde393c5 Adds support for multi-region
Change-Id: Ib85fe7cb375692b04aca4c46f61ba7e1fbfa501b
Implements: blueprint multi-region
2014-07-01 14:58:35 +00:00
Jamie Lennox
3561d7f9ed Use identity_uri instead of auth fragments
auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc individually. Change the
services over to use this.

Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.

identity_uri option was released in keystoneclient 0.8.0

Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
2014-06-16 15:16:48 +10:00
Dean Troyer
42a59c2bfa Complete moving Keystone setup out of keystone_data.sh
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed

Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC, all operations can be done
using names rather than requiring IDs.

Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
2014-03-10 15:17:30 -05:00
Ian Wienand
aee18c749b Enforce function declaration format in bash8
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check.  Add a note to HACKING.rst

Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
2014-02-28 07:59:03 +11:00
Dean Troyer
e4fa721322 Begin is_service_enabled() cleanup
This converts the special cases in the is_service_enabled() function to call
individual functions declared by the projects.  This allows projects that
are not in the DevStack repo and called via the extras.d plugin to handle
an equivalent service alias.

* Ceilometer
* Cinder
* Glance
* Neutron
* Nova
* Swift

TODO: remove the tests from is_service_enabled() after a transition period

Patch Set 2: Rebased

Change-Id: Ic78be433f93a9dd5f46be548bdbd4c984e0da6e7
2014-02-07 10:06:21 -06:00
Jenkins
56d875cc36 Merge "glance: stop using deprecated notifier_strategy" 2014-02-05 11:46:45 +00:00
Attila Fazekas
85a85f87f8 Use service role with glance service
glance just used to admin role for token validation,
the service role is sufficient for this.

glance also needs a user with enough permission to use swift,
so creating a dedicated service user for swift usage when s-proxy is
enabled.

Change-Id: I6df3905e5db35ea3421468ca1ee6d8de3271f8d1
2014-02-02 10:30:15 +01:00
Julien Danjou
19a3814b9a glance: stop using deprecated notifier_strategy
Change-Id: Ic796f0ad57db45bf053312ad10815461528030b3
2014-01-31 11:00:40 +01:00
Dean Troyer
4237f590b7 Generate Tempest service list rather than hard-code it
The list of services that Tempest used to set its 'service_available'
config values was hard-coded. To be plugin-friendly have each
service (project) add its name to the TEMPEST_SERVICES variable
and use that for setting the 'service_available' values.

Change-Id: I208efd7fd0798b18ac2e6353ee70b773e84a2683
2014-01-29 17:25:45 -06:00
Flavio Percoco
c3e5b77b45 Add missing file argument to iniset_multiline
Change Id9aab356b36b2150312324a0349d120bbbbd4e63 introduced a call to
iniset_multiline to enable swift stores explicitly. However, the call
has a missing file argument which resulted in this call setting the
values to the wrong file, section and param. This patch fixes that.

Change-Id: Ib17048e05c467bc8ca2c13fe4297d6bac6c8a880
2014-01-23 18:32:54 +01:00
Jenkins
3e98388d07 Merge "Robustify service shutdown" 2014-01-13 14:09:44 +00:00
Dean Troyer
9fc8792b0a Robustify service shutdown
* Save PID when using screen in screen_it()
* Add screen_stop()
* Call out service stop_*() in unstack.sh functions so screen_stop()
  can do its thing

Closes-bug: 1183449
Change-Id: Iac84231cfda960c4197de5b6e8ba6eb19225169a
2014-01-11 11:46:19 -06:00
Vincent Hou
21fe4e76d5 Add a flexible API version choice for Cinder, Glance and Heat
The version of the authentication url is set to v1.0 for some
projects by default. We can make it configurable via the parameter
"$IDENTITY_API_VERSION".

Closes-Bug: #1253539
Change-Id: I6640e345d1317b1308403c95b13f8a998320241b
2014-01-06 01:22:57 -05:00
Jianing Yang
16312738d1 Correct glance db_sync command
Closes-Bug: #1263431

Change-Id: I30a53adfdd8e00a9995595af2e090190bac241a0
2013-12-22 10:49:28 +08:00
Flavio Percoco
355fc86683 Explicitly enable the stores used by devstack
Devstack currently relies on the default value of the `known_stores`
configuration option. This patch enables explicitly the default stores
used by devstack.

The real fix for the issue below will land in Glance. However, since the
default stores will be FS and HTTP we need devstack to enable Swift's as
well, which is required in the gates, hence this patch.

Partially-fixes: #1255556
Change-Id: Id9aab356b36b2150312324a0349d120bbbbd4e63
2013-12-20 18:57:25 +01:00
Jenkins
bddaf0afb6 Merge "Allow deploying keystone with SSL certificates" 2013-12-04 05:36:40 +00:00
Jenkins
5221163125 Merge "edit-glance-manage-command-for-recreate-db" 2013-11-26 11:53:02 +00:00
Jamie Lennox
bd24a8d0f8 Allow deploying keystone with SSL certificates
Allow providing certificates through environment variables to be used
for keystone, and provide the basis for doing this for other services.
It cannot be used in conjunction with tls-proxy as the service provides
its own encrypted endpoint.

Implementing: blueprint devstack-https
Change-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0
2013-11-25 22:27:51 +00:00
Adam Spiers
6a5aa7c6a2 Fix some Markdown formatting issues
Address miscellaneous issues with Markdown formatting in comments which
are consumed by shocco when generating the online documentation.

Change-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078
2013-10-24 17:38:19 +01:00
Sean Dague
101b424842 fix whitespace in the rest of lib/*
this brings this in line with bash8 checker

Change-Id: Ib34a2292dd5bc259069457461041ec9cd4fd2957
2013-10-22 13:02:23 -04:00
JUN JIE NAN
0aa8534ada Using no proxy option to skip wget and curl proxy settings in config
When end users specify proxy settings in config file for wget /etc/wgetrc:
http_proxy = http://...
or for curl ${HOME}/.curlrc:
proxy = http://...

Using `http_proxy="" wget' can not skip the proxy setting in the
config files, also it can skip proxy settings in env variables.

In order to skip proxy setting in both env and config file, we pass
--no-proxy option for wget, and --noproxy '*' for curl.

Fixes bug #1224836

Change-Id: I2b25aeca9edf2ce4525fb1db325e5e24c18b4d55
2013-09-30 16:03:00 +08:00
AmalaBasha
072d137766 edit-glance-manage-command-for-recreate-db
As per https://bugs.launchpad.net/glance/+bug/1213197, and subsequent
review at https://review.openstack.org/#/c/47161/ Glance-manage commands
are proposed to be subcommands of 'db'. This would require change to the
script to recreate_db which calls the db_sync command.

Implements blueprint edit-glance-manage-command-for-recreate-db
Change-Id: I9470709ec34896dba7a37fdff4791206bb5ef5ed
2013-09-20 16:29:02 +05:30
Dirk Mueller
46d1ba6ef0 Install schema-image.json
Otherwise a warning is logged during startup

Change-Id: I958ab8bb7bce474d3e6854b43bb4709986fb61d4
Fixes: LP Bug#1222797
2013-09-09 14:33:35 +02:00
Mate Lakat
bc2ef929ed xenapi: devstack support for raw tgz image upload
Devstack will recognise the .xen-raw.tgz extensions, and upload them to
glance as raw tgz images with xen pv_mode. This change also adds "tgz" to
the recognised container formats of glance. The changes for raw tgz
support are:

    https://review.openstack.org/#/c/40908/
    https://review.openstack.org/#/c/40909/
    https://review.openstack.org/#/c/41651/

related to blueprint xenapi-supported-image-import-export

Change-Id: I077564587d4303291bb4f10d62bb16380b574106
2013-08-27 11:12:28 +01:00
Ben Nemec
039979424b Allow disabling of debug logging
I find that enabling the debug log level often causes me to miss
important error messages due to the sheer volume of information
logged.  This change allows configuration of the debug option
in a number of the projects so it can be disabled globally
without having to make one-off changes after each re-stack.

Note that this does not apply to Keystone or Swift right now.
They use a different method to configure their logging level and
I'm not as familiar with them so I didn't want to mess with their
settings.

Change-Id: I185d496543d245a644854c8a37f3359377cb978c
2013-08-12 15:01:39 -05:00
Dean Troyer
cc6b443545 Formatting cleanups, doc updates and whatnot
Change-Id: Ica8298353be22f947c8e8a03d8dc29ded9cb26dd
2013-04-09 14:05:32 -05:00
Sean Dague
e4f0cd7eed refactor the install/configure split
configure remains just to generate configs, install now
gets the setup_develop in addition to the git clone. This lets
us remove configure_glanceclient as a function

Change-Id: I68e3e3973d15dc0b4f534662a4f57a9f38f69784
2013-04-01 15:58:22 -04:00
Sean Dague
584d90ec56 add emacs shell-script tagging
for files that don't start with a #! or end in .sh, the added tags
are nice for emacs users to automatically switch to the right mode.

Change-Id: If4b93e106191bc744ccad8420cef20e751cdf902
2013-03-29 14:36:49 -04:00
Dean Troyer
c77b932e16 Move glance's swift config to lib/glance
Change-Id: Icbb355c15bfffe17725ea5cc64cfa5e76c1e74e6
2013-03-29 10:51:01 -05:00
Dean Troyer
995eb927f7 Add clean.sh
clean.sh gets rid of all residue of running DevStack except installed
packages and pip modules.

And it eradicates rabbitmq-server and its erlang dependencies as well as
the other RPC backends and databases.

Change-Id: I2b9a251a0a151c012bae85a5a2f9c2f72e7700be
2013-03-15 10:30:37 -05:00
Jenkins
820467f20f Merge "Simplify database_connection_url" 2013-03-14 21:12:18 +00:00
Jenkins
f90b2740f7 Merge "Refactor error logging" 2013-03-04 14:12:10 +00:00
Attila Fazekas
7e79d9139f Simplify database_connection_url
* does not expect dynamic scoping.
* does not use eval.

Change-Id: I5ba4e5b7ffaabbb3c2bddadf9e53a2875de8b7c0
2013-03-03 13:13:36 +01:00
Eoghan Glynn
8c11f5612b Allow qpid to be selected as AMQP provider on precise
Fixes bug 1137667

Previously the auth/sasl config for qpidd was broken, and the
openstack services using RPC were not properly configured.

Now we ensure that:

- the admin qpid_username/password are configured for all services
  (as the qpidd ACL config denies all access to non-admin users)

- the PLAIN sasl mechanism is configured for qpidd (otherwise the
  qpid_password is not propagated)

- the qpidd process has read permission on the sasl DB (otherwise
  the admin user/pass cannot be verified even if set)

Change-Id: Id6bd675841884451b78f257afe786f494a03c0f7
2013-03-01 12:35:35 +00:00